Protecting Patient Health Information - A Hard Look

In the recent past, information systems in healthcare organizations have become vulnerable to hacking. This in turn is making patient data susceptible to misuse. A study in 2016, pegged the cost of data breaches in the healthcare industry at $6.2Bn . While some of these were small, the major ones affected millions of people. As in the case of Banner Health, one of the largest nonprofit health systems in the US, which suffered a data breach in 2016 that compromised the details of 3.7 million patients. Hackers gained access to the organization's data through the point of sale (PoS) system.

A reason why healthcare organizations have become soft targets for hackers is because they store a large amount of sensitive customer data. Usually this data is stored in a single database. So when hackers gain access, they access the entire cache. This personally identifiable and health-related information is also valuable to organizations in a number of other industries. In this blog post, I highlight areas that make healthcare organizations vulnerable to hackers and discuss possible ways to address the problem.

Locating vulnerabilities that lead to security breaches

Just as in other industries, data and technology are coming together as key drivers of the healthcare industry. Organizations are still firming up on strategies to collect, store and analyze their data. They are also trying to formulate AI-driven solutions that they can leverage to personalize patient engagement. The lowering of security to facilitate integration with apps and software is also contributing to vulnerabilities in the healthcare ecosystem.

Connected devices and open networks: Healthcare organizations, with their complex network of connected devices such as medical devices, HVAC systems, patient portal, wearables, and even Point of Sale (PoS) terminals, provide a potential entry for hackers. Add to this, open Wi-Fi networks and an increasing number of third-party apps and you can guess why this connected existence becomes even more hack-prone.

Business landscape is complex and fluid - Healthcare organizations collect data on individual health, socioeconomic factors, genetic factors, as well as resource use, outcomes, financing, and expenditures. This data is accessed by multiple stakeholders among payers, providers and compliance authority . As patient requirements and organizational complexity expand, mapping the flow of sensitive data within the enterprise becomes difficult. Adding to this difficulty are the changes that this data undergoes as business and network configurations change. In case of an attack, it becomes almost impossible to secure this sensitive and highly dispersed data.

Limited budgets - Healthcare security budgets continue to lag behind those of other industries. According to Forrester, healthcare organizations spend 23 percent of their IT budget on security; other critical infrastructure industries such as utilities and telecom spend 35 percent.

Regulations alone don't suffice - Data is becoming a new currency. And while the Health Insurance Portability and Accountability (HIPAA) Act of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 set a minimum standard for data security, they alone are not adequate. Healthcare organization need to consider policies that allow for continuous monitoring of this data and put in place robust technology that facilitates encryption.

In my opinion, one way to limit the risk associated with a breach is to change the approach to security. Business leaders move away from network-driven to data-driven security and view security through a holistic lens including business risk.

Developing a security-first culture

For security systems and practices to keep hackers at bay, organizations need to adopt a 'security first' culture. Security needs to be reviewed not just from an application or a node perspective, but from a business perspective as well - that is, loss of brand equity, reduced customer trust, financial loss and regulatory penalties. Mobile devices have especially put healthcare organization at a security risk. IT infrastructure needs to be constantly checked to ensure it can withstand an attack. Additionally, other systems need to be put in place to quickly analyze business impacts so that remedial action can be taken. These systems need to deliver immediate visibility, analysis and facilitate a faster response to contain the intrusion.

It is important for healthcare organizations to identify behavioral indicators of an intrusion. This is difficult if done through monitoring tools alone. People are usually the weakest link in the security system. Healthcare players need to create, communicate and enforce security policies that continuously engage people, helping and enabling them to make security a priority.